
Module 2 Part C Application Controls

This document discusses application controls, with a focus on input controls. It defines application controls as procedures and programs designed to satisfy users for a specific task, both manual and automated controls within an application. The primary objective is to prevent or detect errors when transactions are input, processed, or output generated. Input controls are necessary to ensure only valid, accurate and complete data and master file changes are entered. Failure to have effective input controls could lead to unauthorized or erroneous transactions and data.

Uploaded by

Zwivhuya Maimela

Module 2: Introduction to risks and internal controls in a computerised environment
PART C - APPLICATION CONTROLS

Chapter 5: Auditing Fundamentals

T Koza

APPLICATION CONTROLS

Application controls: Background

• Application controls defined
• An application is a set of procedures and programmes designed to satisfy all users associated with a specific task.
  • Manual and automated controls
  • Within a particular application (e.g. sales, debtors)
  • Provide reasonable assurance that recorded transactions are:
    – Valid, i.e. are genuine and have been authorised
    – Accurate
    – Complete

Application controls: Background

Primary objective of application controls
To prevent, or detect and correct misstatements arising when a transaction is:
• Input
• Processed
• Output generated

Diagram: components of an application
• People: users, clients, customers and technicians
• Input: data collected, captured
• Processing: working with information, changing and calculating
• Output: sending results, reporting and distributing data
• Storage: data base, files, discs, tapes

Application controls: Background (continued)

• Thus, application controls are implemented around:
  • Input: capturing and recording of information
  • Processing of data within computer
  • Distribution of output
  • Changes to master file data.

Application controls: Background (continued)

Controls regarding
• Recording data on documents
• The screen
• Capturing of data
• Electronic logs to be maintained
• The error correction process

Controls regarding
• Ensuring the correct data, files and programs are used
• Calculating control total
• Programming of the software
• Electronic logs to be maintained, reviews to be performed

Controls regarding
• Correctness of generation of output
• Proper distribution of output
• The receipt of output
• Electronic logs to be maintained and reviews

Manual vs computer controls

• Three types of application controls in this context:

Independent manual controls
• Performed independently of the computer system
• e.g. secure entry/exit points to safeguard assets from theft

IT dependent manual controls
• Dependent on output produced by the computer system
• e.g. review by a manager of an activity log/register extracted from the system

Programmed controls
• Solely dependent on and performed by the computer system, and operate without any human interaction
• e.g. authentication and validation tables. Refer to next slide.

Programmed control/automated controls example (continued)

Example
Authentication tables granting access to the system, validation control (such as sign tests and field length tests) in which the computer checks all data captured against pre-programmed criteria.

Class Question 3: Source -Graded Questions on Auditing 2017
The following controls have been implemented at GoodReads (Pty) Ltd, a large book wholesaling company which has a fully
computerised accounting system.

1. When a delivery is made from a supplier to GoodReads (Pty) Ltd, the receiving clerk enters the order number for the goods into the
system. If the order number is not valid, the receiving clerk will not accept the delivery.

2. A new employee cannot be successfully added to the employee masterfile without a valid income tax reference number being
entered.

3. GoodReads (Pty) Ltd recently appointed a committee to monitor and advise on the specific risks faced by the IT department.

4. When an application programme change request is made by a user department, it must be approved by the IT steering committee
and the head of the user department before it is effected.

5. All creditors are paid by electronic funds transfer. To effect a transfer, two senior employees must independently enter their unique
passwords.

6. Entry to GoodReads (Pty) Ltd’s data centre (which houses important hardware) is restricted. Swipe cards and PIN numbers are used to
limit access.

7. The company makes use of firewall and anti-virus software.

8. A purchase order must be supported by a stores requisition signed by the warehouse controller.

9. If a debtor has not paid its account within two working days of exceeding its credit terms, for example 60 days, Barry Potter the credit
controller, contacts the debtor to request payment.

10. The chief information officer conducts regular meetings with IT personnel on an individual basis, to enforce the importance of a
strong ethical culture and discuss ethical situations which may have arisen.

YOU ARE REQUIRED TO indicate whether each of the controls listed under 1 to 10 above, is a general control or an application control.
For those controls which you identify as general controls, indicate the category of general control to which each relates.

Class Discussion Question (Input Controls)
• Refer to Question in the course notes.

Overview of application controls
• Chapters 6 to 10: practical application of detailed application controls
  • Revenue and receipts cycle
  • Purchases and payments cycle
  • Inventory and production cycle
  • Human resources cycle
• Never in isolation to general controls!
• Key areas in application controls:
  • Input
  • Processing
  • Output
  • Master file changes


Overview of application controls (continued)

• Example of a purchase order created on the system

Input Controls
• Objective: data entered and Masterfile changes are valid, accurate and complete
• E.g. correct information, no duplications, not fictitious, all input entered.
• Must also address rejected input
• Consequences if input controls fail. Refer to next slide

Input Controls (continued)

Class Example
Consider asking a friend to answer, make calls and send messages on your phone. This is what might happen:
• The person may make unauthorised calls to her friends or family using your airtime
• Person may delete your pictures, apps or important messages
• Person may download apps that are against your taste
• Person may send improper messages to your contacts, e.g. forward them group messages
• Class to discuss measures to avoid the situation mentioned above

• Failure to address the input process effectively will result in:
  • Unauthorised transactions being entered
  • Data already in the system being added to or deleted
  • Errors occurring during the creation of data
  • Data being lost

Input controls (continued)
• Input controls are necessary over:

Data capturer
• Controls over the person capturing the document or data and the hard copy document
• This is done to identify and correct any errors timeously
• Management review of the data

Computer 'screen'
• The computer screen that aids the person capturing the document (known as screen aids)
• This is done by means of controls programmed into the software (known as logical programmed controls)
• Computer 'screen' (continued)

Input controls (continued)

• Input controls are achieved through the following:
  • User-related/manual controls
  • Documentation
  • Screen aids
  • Logical programmed controls
    – E.g. validity test, limit, alphanumeric, reasonability etc.
  • Review, reporting and exception monitoring
  • Batch controls:
    – Input, control totals, control sheets, register.

• Example of logical programmed controls:
  • Hash totals
  • Sign test
  • Sequence check
  • Field length test
  • Matching (related data test)
  • Reasonableness check

Examples of logical programmed controls (continued)

Validity test
• Confirms data entered on system against a Masterfile to ensure validity
• e.g. debtor account number is entered and compared to the account number stored in the debtor masterfile

Alphabetic/alphanumeric/numeric character check
• Only allow alphabetic characters or only numeric characters, or an error message will pop up
• e.g. an ID field that should contain only numeric characters

Limit test or range test
• Test the data against a threshold or predetermined benchmark
• e.g. a debtor is not allowed to incur further debt if his/her credit limit threshold has been reached

Read Chapter 5 page 167-170 of Auditing Fundamentals for more examples
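
The logical programmed controls above (validity test, numeric character check, field length test, sign test, limit test) applied to one captured credit sale. This is an added example, not part of the original slides; the masterfile contents, field names and the 13-digit ID length are assumptions made for illustration.

```python
import re

# Constructed debtor masterfile: account number -> standing data (in cents).
DEBTOR_MASTERFILE = {
    "D1001": {"credit_limit": 500000, "balance": 420000},
    "D1002": {"credit_limit": 1000000, "balance": 0},
}
ID_LENGTH = 13  # assumed fixed length of the ID field


def validate_sale(txn, masterfile=DEBTOR_MASTERFILE):
    """Run the programmed input controls over one captured credit sale.

    Returns a list of exception messages. An empty list means the input is
    accepted; anything else is rejected input that must be followed up.
    """
    errors = []
    id_number = str(txn.get("id_number", ""))
    amount = txn.get("amount_cents")

    # Numeric character check: ASCII digits only (str.isdigit() would also
    # accept other Unicode digits), then the field length test.
    if not re.fullmatch(r"[0-9]+", id_number):
        errors.append("numeric check: id_number may contain digits only")
    elif len(id_number) != ID_LENGTH:
        errors.append("field length test: id_number has the wrong length")

    # Sign test: a sale must be a positive whole number of cents.
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        errors.append("sign test: amount_cents must be a positive integer")
        amount = None

    # Validity test: the account must exist in the debtor masterfile.
    debtor = masterfile.get(txn.get("account"))
    if debtor is None:
        errors.append("validity test: account not in debtor masterfile")
    # Limit test: no further debt once the credit limit would be passed.
    elif amount is not None and debtor["balance"] + amount > debtor["credit_limit"]:
        errors.append("limit test: sale exceeds the debtor's credit limit")
    return errors
```

Every failed test is returned rather than stopping at the first one, so the exception report shows the data capturer everything that must be corrected before the transaction is re-entered.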


Input controls: Comparison of manual vs computerised

Manual Environment
1. Record Procedures
   – Manual comparisons are performed to confirm the correctness of the details
2. Authorisation and approval
   – Approval is done by a senior member through signing a document
3. Reconciliations and independent review
   – Staff member performs comparisons between multiple sets of data, records, documents and physical assets

Computerised Environment
1. Record Procedures
   – Program makes the comparisons between the data captured and the information already stored in the computer's memory, e.g. data on received note is matched to data on the order form
2. Authorisation and approval
   – A programmed task will not proceed if approval has not been granted by a senior staff member through capturing his/her username and password
3. Reconciliations and review
   – Computer automatically performs comparisons or matching. An exception report is reviewed and investigated, e.g. the computer can compare CAUA031 Test 1 marks between 2017 and 2018. A report can be extracted for exceptions where the pass rate dropped/increased significantly.

• Study Chapter 5 page 165-170 of Auditing Fundamentals for a detailed list

Processing Controls

• Processing controls
  • Occurs in computer: little/no user intervention
  • Integrity of data while being processed
  • Examples: saving a file, updating a file (after input), generating a report

Consequences if processing controls fail
• Data being lost, corrupted or changed
• Existing data being duplicated
• Invalid data being added during processing
• Calculation or accounting errors occurring
• Logical and rounding errors occurring
• Incorrect version of the program or data file being used

Processing Controls (continued)

• 2. Processing controls (continued)
  • User-related controls
  • Correct program and file
  • Computer control totals and reports
  • Controls during processing
  • Review, reporting and exception monitoring
  • Error correction process
  • Also refer input controls.

Processing controls (continued)

User related controls
• Relate to access and isolation of responsibility

Correct program and file controls
• Correct version and data file should be used
• Files should have clear external name labels
• There should be a process schedule or register linking each production run with a specific time and date

Processing controls (continued)

Computer Control Totals
• Control totals to be reconciled with control total automatically by the computer after processing, e.g.
  • Financial fields: sums all financial data such as total amount invoiced

Controls during processing
• Controls in the computer detect errors or any missing number
• e.g. a completeness test identifies missing reference numbers during the processing of data
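
Computer control totals and the completeness test described above, run over one processed batch. This is an added example, not part of the original slides; the control sheet layout, field names and sample records are constructed for illustration.

```python
from collections import Counter

# Constructed batch control sheet, prepared from the source documents
# before capture (field names are assumptions for this example).
CONTROL_SHEET = {
    "first_ref": 5001, "last_ref": 5005,
    "record_count": 5,
    "financial_total_cents": 150000,
    "hash_total": 5015,  # sum of account numbers, meaningless in itself
}

# Constructed processed batch: invoice 5003 was lost, 5004 processed twice.
PROCESSED = [
    {"ref": 5001, "account": 1001, "amount_cents": 10000},
    {"ref": 5002, "account": 1002, "amount_cents": 25000},
    {"ref": 5004, "account": 1004, "amount_cents": 15000},
    {"ref": 5004, "account": 1004, "amount_cents": 15000},
    {"ref": 5005, "account": 1005, "amount_cents": 60000},
]


def reconcile_batch(control_sheet, records):
    """Recompute the control totals after processing and run a sequence check."""
    computed = {
        "record_count": len(records),
        "financial_total_cents": sum(r["amount_cents"] for r in records),
        "hash_total": sum(r["account"] for r in records),
    }
    # Control total reconciliation: {total name: (expected, computed)}.
    mismatches = {
        name: (control_sheet[name], value)
        for name, value in computed.items()
        if control_sheet[name] != value
    }
    # Completeness test: every reference number in the range exactly once.
    counts = Counter(r["ref"] for r in records)
    expected = range(control_sheet["first_ref"], control_sheet["last_ref"] + 1)
    return {
        "mismatches": mismatches,
        "missing_refs": [ref for ref in expected if ref not in counts],
        "duplicate_refs": sorted(ref for ref, n in counts.items() if n > 1),
    }
```

In this batch the record count still agrees with the control sheet, because one lost record is offset by one duplicate; the financial total, the hash total and the sequence check are what expose the error.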

Output controls
• Involves distribution of data from stored to viewed
• Hard-copy document, on-screen display etc.
• Output valid, accurate, complete; authorised parties only.

Consequences if Output Controls fail
• Output being distributed to unauthorised persons
• Output being incomplete or inaccurate, which can result in incorrect management decisions or
• Output not agreeing with the underlying

Output Controls (continued)
• User-related controls such as limiting access to the output
• Controls around the distribution of output
• Controls applicable when receiving output
• Review, reporting and exception monitoring
• Error correction process.

Output controls (continued)
• Controls implemented

User related controls
• Access control over printer, screen
• Controls over actual output, e.g. marked confidential and emails encrypted

Controls over distribution of output
• Should be a written policy on how the output and confidential information is treated
• Must be a manual or electronic register during distribution of output

Controls on receiving output
• Reconciliation of input to output
• Performing output count
• Checking if blank pages contain words such as 'empty page'

Error correction process
• Refer to prescribed textbook: Audit Fundamentals

Masterfile Change Controls

Diagram: Masterfile
• Debtors Masterfile
• Creditors Masterfile
• Payroll Masterfile
• Inventory Masterfile

Masterfile change control (continued)
• When standing data changed, added, deleted
• Requested by user, not computer
• E.g.: Debtors/creditors details, price lists, inventory details
• Standing data used repeatedly when transactions processed
• If data error in master file: data errors in all affected transactions

• Consequences if master file change controls fail:
  • Unauthorised amendments
  • Not all authorised amendments being updated on master file
  • Errors in capturing amendments
  • Errors contained in the master file data going undetected

Masterfile change control (continued)
• 4. Master file change controls (continued)
  • User-related controls
  • Request forms
  • Input controls
  • Review, reporting and exception monitoring
  • Review of standing data

Masterfile change control (continued)
• Controls implemented

Controls for advanced technologies

• Substance of controls remains same in advanced system
• Process to follow when implementing/evaluating controls over any form of technology:
  • Understanding of the technologies
  • Risks
  • Existing controls
  • Break down into components (security, custody, input
  • Actual vs theoretical controls
  • Evaluate impact of existing controls
  • Select suitable controls. (refer next slide for detailed process)

Other Controls over advanced technology (continued)
• Data communication
  • Electronic data transmission
  • Fixed-line, wireless, etc.
• Controls that should be in place over data communication

• Process followed when implementing or evaluating controls over any technology
  1. Obtain an understanding of the technology used
  2. Identify relevant risk
  3. Identify and evaluate adequacy of existing controls
  4. Break technology into components: Security, Custody, Input, processing
  5. Select suitable controls

Electronic commerce, electronic funds transfers and other data communication

• Electronic commerce: buying/selling over electronic platform
  • Electronic Communications and Transactions Act, 2002.
• Examples of primary risks with electronic communication.

Electronic commerce, electronic funds transfers and other data communication
• Controls:
  • Input controls (at capturing)
  • Restricting, authenticating user (Access Controls)
  • Data transfer internet (similar to processing controls)
  • Legal matters (policies and procedures over privacy
  • Continuity (Storage, system development by service organization)
  • Logs and reviews
  • Other. (Assurance logos)

Refer Auditing Fundamentals Chapter 5 for risks and detailed controls.

Service organisations, outsourcing and data warehousing

• Outsourcing: performed by 3rd party ("service organisation" - SO) rather than company itself
• Data warehousing: store data on SO's server for a fee
• Most important issues relating to data:
  • Transfer from company to SO
  • Ownership
  • Security, protection at SO
  • Losses.

Refer Auditing Fundamentals Chapter 5 for risks and detailed controls.

EFT controls: Components
• Capturing of data
• Restricting access of users and authenticating users
• Transfer of data over the internet
• Protecting against losses
• Policies and procedures
• Logs and reviews
• Other specialised controls.

Refer to Appendix of Auditing Fundamentals Chapter 5 for risks and detailed controls.
